The MU program incentivizes providers to use certified electronic health information technology. The program’s ultimate goal is a health IT infrastructure that improves care quality, reduces costs, and promotes patient safety. Development of the MU program has sought to balance these goals with minimizing burdens on health care providers. Accordingly, compliance with stage 3 requirements will be optional for providers in 2017 and mandatory in 2018. The NPRM does stipulate that providers will not be able to qualify partially by meeting some of the standards, or to pick which standards to meet from an optional menu as they were able to do in MU stages one and two. But the stage 3 objectives and criteria are disappointing. Here are the objectives: protecting patient health information, eprescribing, clinical decision support, computerized provider order entry, patient electronic access to health information, coordination of care through patient engagement, health information exchange, and public health and clinical data registry reporting. And here are the most important measures under the objectives:

For privacy: annual security risk assessments for ePHI in the certified EHR.

For eprescribing: continuation of the Stage 2 standard with the goal of still higher compliance than the current 80% level. In states where eprescribing of controlled substances is legal, providers may include these prescriptions in their calculations of the percentages of prescriptions transmitted electronically but are not required to do so.

For clinical decision support: the NPRM continues the stage 2 approach of giving providers considerable flexibility about which clinical decision supports to implement and at what junctures in their practices. Providers must implement at least five interventions related to clinical quality measures. A required implementation is functionality for drug-drug and drug-allergy interactions. Providers are not required to report improvement. Rather, they are to set goals internally and are urged to set these goals in terms of outcome rather than process measures.

For computerized provider order entries: continuation of the stage 2 objective requiring CPOE of medication (80% of orders), laboratory (60%), and radiology orders (60%). Radiology orders are expanded to include all diagnostic imaging.

For patient electronic access to health information: providing the ability of patients (or their personal representatives) (80%) to view, download, and transmit their health information and to identify relevant patient-specific education resources (35%). These measures recognize the importance of personal representatives in care as well as the need to authenticate these representatives and their authority but do not propose any means for implementing this central privacy protection. The NPRM also proposes to permit providers to use a variety of certified application-program interfaces (APIs) to support patient data access and exchange. This will enable patients to receive information in a variety of formats that may be useful to them—but raises significant privacy questions if patients are enabled to transfer information to entities not within the scope of HIPAA protection. ONC seeks comments on several possible alternatives with respect to APIs.

For coordination of care through patient engagement: functionality for secure dialogue and communication with patients including that 25% of patients either view, download, and transmit their PHI or access their health information through a certified API; that 35% of patients receive secure messages; and that 15% of patients enter patient-generated health data or other data from a non-clinical setting into the EHR. These measures also rely heavily on APIs. ONC’s discussion does not consider the privacy issues raised by patients entering their health information into the myriad of devices available in non-clinical settings. ONC is more interested in comments addressing providers’ ease in measuring patient access to health information through APIs, in standardization of patient-entered data, and in providers’ ability to verify the provenance of the data.

For health information exchange: ensuring that a summary of care record is captured electronically and incorporated into the EHR for patients seeking care among different providers. Summaries of care must include current problem list, medications, and allergies. Required percentages vary depending on whether the patient is a new patient or a referral. ONC seeks comments on governance structures for information exchange.

For public health and clinical data registry reporting: demonstrating “active engagement” with public health agencies or clinical data registries (such as cancer registries) by “being in the process of moving towards” sending data generated through clinical processes to these agencies. Ways to meet this objective are completing registration to submit data, testing and validating electronic submission of data, or actually submitting data electronically. Types of reporting include immunizations with bidirectional functionality so that providers can also receive information about a patient’s immunizations, syndromic surveillance, case reports, public health registry reports, clinical data registry reports, and electronic reportable laboratory results. ONC also plans to develop a central repository on public health readiness.

Somewhat less fully addressed in the NPRM are robust capacities for comparative effectiveness research, quality improvement, or successful collection of information for public health purposes. There is no assurance that by meeting certification standards EHRs will be genuinely interoperable. And why is patient engagement the primary method for improving coordination of care? These are all left to the ongoing process for certifying EHRs, which to date has arguably responded to the interests of providers and industry rather than to overall improvement of critical public goals, although ONC’s most recent certification NPRM contains some impressive advances. The NPRM for EHR certification (published in the same issue of the Federal Register as the MU-3 NPRM) is the subject of Part 2 of these posts on developments in health IT.

Enter Congress with the CURES bill, for better or for worse. I will write more about CURES in Part 3 of these posts.

Post navigation

The viewpoints and opinions expressed in this blog are primarily those of the authors and are not necessarily endorsed by the University of Utah S.J. Quinney College of Law or the Center for Law and Biomedical Sciences. Thoughtful responses are welcome.

Recent Blog Posts

By Brian Flach for BioLawToday.org By now, everyone has seen the fallout of Hurricane Harvey. The acts of heroism, the widespread destruction, but most importantly, the reminders that we as people want to help each other. This is evident in how blood drives seem to spring up overnight, both locally and across the country, to […]